I installed db_connect 3.1.2 on the search head of an SHC (search head cluster). I want to write the results of a Splunk search to a MySQL database. I tried the following two methods, but the MySQL database still has no data.
Search (the alert type is real-time, run with admin permissions):
index=attackinfo | fields _time src_ip dst_ip result system
1. Save it as an alert and add the DBX output alert action as the trigger action.
OR
2. Add |dbxoutput output="outputAttackinfoToLiveMap" at the end of the search.
When events pass through the search window, they are not output to MySQL. Why? But when I open Search and run the same search statement a second time, those events are written to MySQL.
Why are events not written to MySQL when the search is saved as an alert, while running the search statement directly does output to the MySQL DB? I tried changing the alert type to a cron expression,
-1m@m
@m
*/1 * * * *
but it is still the same.
The question is still not resolved; does no one know why?
Hi,
I am not sure, but as per the doc:
DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.
Also, can you tell me which database output settings you configured? Refer to this doc:
http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs
Hi, @p_gurav
Regarding "not support running scheduled task":
When I configure the output, one of the options is "Scheduling", but I didn't check it, so I chose to use an alert to output to the MySQL database.
Do you mean the scheduled task refers to this option?
OK. Can you share the database output you created?
@p_gurav
[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12,_time:attacktime:4,system:system:12
disabled = 0
interval = * * * * * ?
is_saved_search = 0
query_timeout =
scheduled = 0
search = index=attackinfo | fields _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert = 0
I entered this manually, because I can't copy information from the intranet.
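As an added example (not code from this thread, from Splunk, or from the DB Connect app), the following Python checker parses a db_outputs.conf stanza like the one posted above and cross-checks it against the search that feeds it. It decodes each customized_mappings entry (field:column:JDBC type code, comma-separated), confirms every mapped field survives the search's `fields` stage, flags unknown type codes, and surfaces the scheduling caveat quoted from the docs earlier in the thread. The sample stanza is the posted one, retyped here as constructed input with the ';' between two mappings replaced by a ','; the JDBC code names are the java.sql.Types constants.

```python
"""Sanity-check a DB Connect 3 db_outputs.conf stanza against the search that feeds it."""
import configparser
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample input: the stanza posted in this thread, with the ';' between
# the third and fourth mapping replaced by the ',' that customized_mappings uses.
SAMPLE_STANZA = """
[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12,_time:attacktime:4,system:system:12
disabled = 0
interval = * * * * * ?
is_saved_search = 0
query_timeout =
scheduled = 0
search = index=attackinfo | fields _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert = 0
"""

# The third element of every mapping is a java.sql.Types code; these are the common ones.
JDBC_TYPES = {-5: "BIGINT", 1: "CHAR", 4: "INTEGER", 8: "DOUBLE",
              12: "VARCHAR", 91: "DATE", 93: "TIMESTAMP"}


class Mapping(NamedTuple):
    field: str      # Splunk field in the search results
    column: str     # column in the destination table
    jdbc_type: int  # java.sql.Types code of that column


def parse_mappings(spec: str) -> List[Mapping]:
    """Parse 'field:column:type,field:column:type,...'; reject anything malformed."""
    mappings = []
    for raw in (p.strip() for p in spec.split(",")):
        if not raw:
            continue
        parts = raw.split(":")
        if len(parts) != 3 or not re.fullmatch(r"-?\d+", parts[2]):
            raise ValueError(f"mapping {raw!r} is not field:column:<jdbc type code>")
        mappings.append(Mapping(parts[0], parts[1], int(parts[2])))
    return mappings


def search_kept_fields(search: str) -> Set[str]:
    """Return the field names kept by the last '| fields' stage of an SPL search.

    An empty set means the search does not restrict its output fields (no 'fields'
    stage, or only the 'fields - ...' removal form).
    """
    kept: Set[str] = set()
    for stage in (s.strip() for s in search.split("|")[1:]):
        m = re.match(r"fields\s+(.*)", stage)
        if not m:
            continue
        args = m.group(1).strip()
        if args.startswith("-"):  # removal form does not enumerate what is kept
            kept = set()
            continue
        kept = {f for f in re.split(r"[\s,]+", args.lstrip("+").strip()) if f}
    return kept


def check_output(stanza_text: str) -> Dict[str, object]:
    """Cross-check mappings, type codes and the scheduling flag of one output stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(stanza_text)
    name = cp.sections()[0]
    sec = cp[name]

    mappings = parse_mappings(sec["customized_mappings"])
    kept = search_kept_fields(sec["search"])
    notes: List[str] = []
    if sec.getboolean("scheduled", fallback=False):
        notes.append("scheduled=1: the DB Connect 3 docs quoted in this thread say scheduled "
                     "outputs do not run on a search head cluster member; run them on a heavy forwarder")
    return {
        "output": name,
        "table": sec["table_name"],
        # Splunk field -> (column, JDBC type name), so the table layout is visible at a glance
        "columns": {m.field: (m.column, JDBC_TYPES.get(m.jdbc_type, f"type {m.jdbc_type}"))
                    for m in mappings},
        # mapped fields that the search's 'fields' stage drops: DB Connect has nothing to insert
        "missing_fields": sorted(m.field for m in mappings if kept and m.field not in kept),
        "unknown_types": sorted({m.jdbc_type for m in mappings if m.jdbc_type not in JDBC_TYPES}),
        "notes": notes,
    }


if __name__ == "__main__":
    for key, value in check_output(SAMPLE_STANZA).items():
        print(f"{key}: {value}")
```

Run it against your own stanza (copied from the app's local/db_outputs.conf) before chasing the scheduler: a field that the search drops, a typo in a type code, or a stray delimiter shows up here immediately, while the SHC scheduling limitation from the docs only applies once scheduled is turned on.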